troldesh | 035689dbe90430303d04428eca5e0acae1fc79df2ee80cc802baabe6085ae3a2

Analysis

max time kernel
132s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00327.7z
Size

3.7MB
MD5

b3af9816cd60148658c913a2e987f11a
SHA1

a112327ece8d0bf078c76497a5b3bb3b825e1d2c
SHA256

035689dbe90430303d04428eca5e0acae1fc79df2ee80cc802baabe6085ae3a2
SHA512

0936582c48b40ed62a061588ec7f807d41ff85a6e67535b1bbafae0dcaa58bbb9a7b5be2b0ccd6c64db86652e88727c1bfc4898a75ddca483c02b1faf6488fa2
SSDEEP

98304:7s6VlzLDXInXTtmVs3ZUfuvhdRtNWkfWzNXzG7OG/rF:wUvETX3ZxhBVGH+5

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Renames multiple (323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 10 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exeHEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exeHEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exeTrojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exeTrojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exeTrojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exeHEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exeTrojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exeTrojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exeHEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe

pid	process
2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
1484	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2864	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
2888	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
1964	Trojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exe
1684	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
812	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe

Loads dropped DLL 8 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exeWerFault.exe

pid	process
2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whoer.net
7 whoer.net

flow	ioc
6	whoer.net
7	whoer.net

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of SetThreadContext 1 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe

description	pid	process	target process
PID 2844 set thread context of 812	2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00327\Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe	upx
behavioral1/memory/2044-44-0x000000005B220000-0x000000005B2A5000-memory.dmp	upx
behavioral1/memory/812-66-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-65-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-64-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-68-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-62-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2044-1278-0x000000005B220000-0x000000005B2A5000-memory.dmp	upx
behavioral1/memory/812-1279-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-1280-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2044-1282-0x000000005B220000-0x000000005B2A5000-memory.dmp	upx
behavioral1/memory/812-1283-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-1288-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-1290-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-1292-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-1294-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-1298-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/812-1300-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	process	target process
2040	1684	WerFault.exe	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exeTrojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exeHEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exeHEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exeTrojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exeHEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exeTrojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1544 net.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

1484 NOTEPAD.EXE
2196 NOTEPAD.EXE

pid	process
1544	net.exe

pid	process
1484	NOTEPAD.EXE
2196	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exeHEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exeHEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exeHEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exeTrojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exeTrojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exeTrojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe

pid	process
2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
1484	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
2888	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
1684	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
2864	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeHEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exeTrojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exeHEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exeTrojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

pid	process
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
812	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
812	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
2864	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
2944	taskmgr.exe
2944	taskmgr.exe
1484	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2944 taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe

pid	process
2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exetaskmgr.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe

description	pid	process
Token: SeRestorePrivilege	2744	7zFM.exe
Token: 35	2744	7zFM.exe
Token: SeSecurityPrivilege	2744	7zFM.exe
Token: SeDebugPrivilege	2944	taskmgr.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
Token: SeLoadDriverPrivilege	2096	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exe

pid	process
2744	7zFM.exe
2744	7zFM.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

pid process

2044 Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

pid	process
2044	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

cmd.exeTrojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.execmd.exeTrojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exeHEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 2096	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
PID 1060 wrote to memory of 2096	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
PID 1060 wrote to memory of 2096	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
PID 1060 wrote to memory of 2096	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
PID 1060 wrote to memory of 1484	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
PID 1060 wrote to memory of 1484	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
PID 1060 wrote to memory of 1484	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
PID 1060 wrote to memory of 1484	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
PID 1060 wrote to memory of 2844	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 1060 wrote to memory of 2844	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 1060 wrote to memory of 2844	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 1060 wrote to memory of 2844	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 1060 wrote to memory of 2888	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
PID 1060 wrote to memory of 2888	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
PID 1060 wrote to memory of 2888	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
PID 1060 wrote to memory of 2888	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
PID 1060 wrote to memory of 2888	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
PID 1060 wrote to memory of 2888	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
PID 1060 wrote to memory of 2888	1060	cmd.exe	HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
PID 1060 wrote to memory of 2232	1060	cmd.exe	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
PID 1060 wrote to memory of 2232	1060	cmd.exe	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
PID 1060 wrote to memory of 2232	1060	cmd.exe	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
PID 1060 wrote to memory of 1964	1060	cmd.exe	Trojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exe
PID 1060 wrote to memory of 1964	1060	cmd.exe	Trojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exe
PID 1060 wrote to memory of 1964	1060	cmd.exe	Trojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exe
PID 1060 wrote to memory of 2044	1060	cmd.exe	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
PID 1060 wrote to memory of 2044	1060	cmd.exe	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
PID 1060 wrote to memory of 2044	1060	cmd.exe	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
PID 1060 wrote to memory of 2044	1060	cmd.exe	Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
PID 1060 wrote to memory of 1684	1060	cmd.exe	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
PID 1060 wrote to memory of 1684	1060	cmd.exe	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
PID 1060 wrote to memory of 1684	1060	cmd.exe	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
PID 1060 wrote to memory of 1684	1060	cmd.exe	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
PID 1060 wrote to memory of 2864	1060	cmd.exe	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
PID 1060 wrote to memory of 2864	1060	cmd.exe	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
PID 1060 wrote to memory of 2864	1060	cmd.exe	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
PID 1060 wrote to memory of 2864	1060	cmd.exe	Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
PID 2232 wrote to memory of 2916	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	cmd.exe
PID 2232 wrote to memory of 2916	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	cmd.exe
PID 2232 wrote to memory of 2916	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	cmd.exe
PID 2916 wrote to memory of 1544	2916	cmd.exe	net.exe
PID 2916 wrote to memory of 1544	2916	cmd.exe	net.exe
PID 2916 wrote to memory of 1544	2916	cmd.exe	net.exe
PID 1684 wrote to memory of 2040	1684	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe	WerFault.exe
PID 1684 wrote to memory of 2040	1684	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe	WerFault.exe
PID 1684 wrote to memory of 2040	1684	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe	WerFault.exe
PID 1684 wrote to memory of 2040	1684	Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe	WerFault.exe
PID 2844 wrote to memory of 812	2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 2844 wrote to memory of 812	2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 2844 wrote to memory of 812	2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 2844 wrote to memory of 812	2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 2844 wrote to memory of 812	2844	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe	HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
PID 2232 wrote to memory of 2196	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	NOTEPAD.EXE
PID 2232 wrote to memory of 2196	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	NOTEPAD.EXE
PID 2232 wrote to memory of 2196	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	NOTEPAD.EXE
PID 2232 wrote to memory of 2176	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	cmd.exe
PID 2232 wrote to memory of 2176	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	cmd.exe
PID 2232 wrote to memory of 2176	2232	Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe	cmd.exe
PID 2176 wrote to memory of 2020	2176	cmd.exe	choice.exe
PID 2176 wrote to memory of 2020	2176	cmd.exe	choice.exe
PID 2176 wrote to memory of 2020	2176	cmd.exe	choice.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00327.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
  HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
  HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
  HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
    HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:812
- C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
  HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2888
- C:\Users\Admin\Desktop\00327\Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
  Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\cmd.exe
    "cmd" /C net view
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\net.exe
      net view
      4⤵
      Discovers systems in the same network
      PID:1544
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Instruction.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2020
- C:\Users\Admin\Desktop\00327\Trojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exe
  Trojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Users\Admin\Desktop\00327\Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
  Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Users\Admin\Desktop\00327\Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
  Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 220
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2040
- C:\Users\Admin\Desktop\00327\Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
  Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Instruction.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1484

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\Instruction.txt

Filesize
172B

MD5
990722d7f7e68959dedda673860d57ea

SHA1
b51902e30ff82e1cfef5aad6fb5c50a4db52d076

SHA256
8d5c3c49965c2c3ee4d4c90f85a4d1f6b33e16fc9c7c1003219a1594b29d3310

SHA512
6238bd67e7fa0d3f38d6800ac2bdc0913f5640b419a1314cbea0e15f8681e90b8031491b3fbfe886ec420e5b2a80837d0267d7740d2413394572a6ba71daccf0

Download Submit
C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

Filesize
540B

MD5
93a82c5f5e39b8f6799b113ed9e71db0

SHA1
12d92cf9d8011f101645c210e4bf2bf3a38afc12

SHA256
99d10d3071e9f82dac7e2d83a9eb54c1e57fee05b361e0e582ea3af7d0291be7

SHA512
a1939f034c6ff31af276bc3bb5c02a0f92f2e175afddcc66e81f61a94790a638488c2ba8ee6c6466d3974fa86fb6123f4a81418e83f0e0d3eb40224934dec9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorLogAes.bin

Filesize
966B

MD5
91fa7f3b1bc59fbe5debfd8781c053f3

SHA1
c206c33ef132c48de15a0a05ebfef9e3d8f74270

SHA256
3298ff5b974ef03b71cda8add131f2850a0564fe4ec5d8e31710bd4b5f8834c0

SHA512
18050f347ec533fac72b275da057017cd3a6b657daa2ec341db1a64db39ad9a27173b7b87c2822518994f8c1fb9e3f7a35e7d6dbf876e5555c1e40e4560d33b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorLogAes.bin

Filesize
1KB

MD5
a336e98718ef2687fc141efdf026f2a3

SHA1
9c093c0ed1984706e01a19199a25633199db8baa

SHA256
49f6a0a93e85380ad9c56865037bba3230a2bf45c6152cb7bc7703e713aaaf49

SHA512
f148fd08797e1cfcfd91702ec473bb9021a2a6fce94e0721e8e8cd27c282b1fbd283f91c8ab387f5990c20604295517f12e79157c8bf315e033eb22a0c027a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorLogAes.bin

Filesize
1KB

MD5
9872ef2ba126c23d27704907391b9333

SHA1
e47df8b655b41143e8f66b44d5442bd2d06b6f3b

SHA256
72b55319a59981741d4017aa960e44102b436d7da984ce7296513b5f9242f115

SHA512
831a0139b3731f096ccd02c2221be235c36159c30f2f6d81247e7fde2d21ebef2ea319f744c9504cc83645e6e16f4eba68fbc84e46f79e02def3ff18354dec3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorLogAes.bin

Filesize
1KB

MD5
35bf5d2d29e4bab56f35ed258bb6bd3c

SHA1
e2f054e6e0a0c3f2556e1f64a1e9ad6445ec24a5

SHA256
c0245f858bbcf577a58d2eab8c6e219170198822f9d5fd466cd2caa12721007f

SHA512
8a6b3b59552da514831b6d78554a4f906c1ffc0c7c39843f7990f1a21a984ebafdbf8fd04bc1ca89cb04771d45c33417abb20cefae847381e5746d2755769346

Download Submit
C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1.exe

Filesize
251KB

MD5
9f1cc2514a6832d990ac40ab5e6536f1

SHA1
3429080368271fcf56e0b7abd40d3f1d72ffe2ce

SHA256
af9626a382b7cbd8167bcac24b83cef06348628b0f59c2f6a4806607b0cc56c1

SHA512
7a4566eb6770d2dbdeb65b9b434826b8ac47b75a67c66ad9d442f0d71a39252bf8d9781d88165c1c746429e5de6b6f009a1200e2a3d17d17d24338e6908ee8d0

Download Submit
C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.Generic-d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e.exe

Filesize
799KB

MD5
894d389aff0478032ca7d6f345e563a1

SHA1
a930776b6616df483648ae1cb10db73b6cff884c

SHA256
d233e0fab2c4c1e0ff17bce5e4e0d38ae40c43ea10f627302e315dcc2d6e807e

SHA512
f8a419b209ae3be46fcb80f19c4ee746cdb0dfce6528fe8f14b3923e6fa12a1e7be771ae6849241bd0fcb5e417ae3b3df8ceb6957205e8903a2d1ce6500fa603

Download Submit
C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.Locky.gen-88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7.exe

Filesize
942KB

MD5
9536ee1eec864611d658686457c94f2f

SHA1
fd97919ea4824d30851dcffe27b1f638f2b9c3d0

SHA256
88226fa42c43ef6b2668e0c28034c20b73d3d9148c3e68441ca3abddf7d47eb7

SHA512
af2b4c4e34a600f84ca516d48ee2ed0b59c3fd724bdcf2de1ca5e51577243b9e2bce86e6e8d8b4d3b4aae5c20676bcb3b959266ee4ad6353a147b64049b3610f

Download Submit
C:\Users\Admin\Desktop\00327\HEUR-Trojan-Ransom.Win32.Onion.gen-beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541.exe

Filesize
1.7MB

MD5
9b4ba558a4fb0ab7418312aec5b37e25

SHA1
6f8f128c3db2b8a804bc544e06d0ea9325326d27

SHA256
beecaaeeb905fafeb16b27b612b904575b7506683c14c7486d24e2ff1cf3b541

SHA512
996cbfc87af43ade6a3f901b0a8e3c84ebd1b47dd1c87fc422a22e740252374ee771ee8e9b65e0901e0deb7da7a3035e8f53c04b4936e3f23fcb4d32459a88ed

Download Submit
C:\Users\Admin\Desktop\00327\Trojan-Ransom.MSIL.Agent.fqmk-207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392.exe

Filesize
90KB

MD5
2d3f9e64078eefbf2ec6b7b4e39f7cc8

SHA1
b6c133d1c01c78dba187098fcdb6f33ef4a76afb

SHA256
207f0dc71dff2c4a043a7dbca8b6f406f33778f30dbf4172b87900b62cd57392

SHA512
ce75ae1400b0089dbf334a20e633ec81c8b73482c4e7776906449ba3174543f85a5373789b393eab1c3cad526ee6f704be2804fea7945bffc618f1fe0f43df88

Download Submit
C:\Users\Admin\Desktop\00327\Trojan-Ransom.MSIL.Samas.f-58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e.exe

Filesize
213KB

MD5
868c351e29be8c6c1edde315505d938b

SHA1
8fb40188f21eb689deffb36438fac45bfed5c2ca

SHA256
58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e

SHA512
301804e15c9d0012acf236b0411dab693a05760f3f3da318249e359aa8992786ec60462d6adce16c5f615664d2d6c1bf152bd9131f7d606a881278c3f0d0df9b

Download Submit
C:\Users\Admin\Desktop\00327\Trojan-Ransom.Win32.Foreign.oajl-087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449.exe

Filesize
295KB

MD5
a4bac6bee748a375609d4de477f99fe0

SHA1
00f9b863a0bd6962bbf93113b5fd12f16b961477

SHA256
087b46b4b26e3db64014daee9eb944c577c964a768e58615e5f9852721fd7449

SHA512
f94e20cd198349ad66dfabd5aa07e991bf51588c593df21a927e5d7fdb0767c84dc3e250c5ab519ab14e18b03f325df9e17a8bf80056b719c350422c2c0ca525

Download Submit
C:\Users\Admin\Desktop\00327\Trojan-Ransom.Win32.GandCrypt.bmp-562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e.exe

Filesize
293KB

MD5
86131a6b0b872e016b927a2fdb0345fe

SHA1
f28a6882985e96fe42158561d767ec7d866c6983

SHA256
562517caab34d8e848c70f8955088fd3076c9fc5e3e5d97bbf311990035f871e

SHA512
7b81fb756208c2065ad5da9bf3dcd9fded5ec1e3c148bcae0b18e5a0d5fd9e772a05206bd1c5bbbe2d261e6e505a580e8420fe527385eb2648fdd04094f9cac5

Download Submit
C:\Users\Admin\Desktop\00327\Trojan-Ransom.Win32.Purga.hg-68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41.exe

Filesize
822KB

MD5
72b7203d1ee3a0ab42de45c24472653c

SHA1
3630a9558d8fc13043d3277eb202a8a0c330d7b3

SHA256
68e4802c95e1f76e28e9c1fb1066dd44a495816fcb3c6461eff4101f0eb91b41

SHA512
294240e844ca552908e0bab8d76e628b1f1a4376c87f8aac89f289870b2517aedcb9d39bfec4e395056d4ccad4bb6ad7e41e741a1ef2d1556c8e2cb0b36ec18f

Download Submit
\Users\Admin\AppData\Local\Temp\nseDFD6.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/812-1279-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1294-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-62-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1300-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1280-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-68-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-64-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-65-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-66-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1298-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1283-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1292-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1290-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/812-1288-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1484-105-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1684-106-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2044-1286-0x000000005B220000-0x000000005B2A5000-memory.dmp

Filesize
532KB

Download
memory/2044-1282-0x000000005B220000-0x000000005B2A5000-memory.dmp

Filesize
532KB

Download
memory/2044-1284-0x000000005B220000-0x000000005B2A5000-memory.dmp

Filesize
532KB

Download
memory/2044-1278-0x000000005B220000-0x000000005B2A5000-memory.dmp

Filesize
532KB

Download
memory/2044-44-0x000000005B220000-0x000000005B2A5000-memory.dmp

Filesize
532KB

Download
memory/2096-1276-0x0000000000400000-0x0000000000E28000-memory.dmp

Filesize
10.2MB

Download
memory/2232-45-0x0000000000130000-0x000000000014C000-memory.dmp

Filesize
112KB

Download
memory/2864-72-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2944-18-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2944-19-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download